Using MS-CHAP Authentication for PPTP with IOS
This document describes a PPTP configuration on IOS that uses MS-CHAP v2 for authentication. The configuration in the Cisco documentation for PPTP on IOS uses "pap chap ms-chap-v2" for authentication. However, assume that the configuration is as follows:
Using ms-chap-v1 or ms-chap-v2 in such a scenario prevents the PPTP connection from going through and produces an authentication error in the debugs. The router prompts the user for the "username" and "password" but then returns the authentication error. The error that you would encounter in the "ppp debugs" is as follows:
000503: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Sent MSCHAP LOGIN Request
000504: *Jan x xx:xx:xx.yyy PST: ppp32 PPP: Received LOGIN Response FAIL
000505: *Jan x xx:xx:xx.yyy PST: ppp32 MS-CHAP: O FAILURE id 3 len 13 msg is "E=691 R=1"
However, the same connection goes through successfully when using the following configuration, i.e. pap chap:
ppp authentication pap chap
A little understanding of the way MS-CHAP works provides the solution to this problem. Configuring the username with the "password" keyword rather than the "secret" keyword while using "ms-chap-v2" or "ms-chap" for authentication fixes the problem:
username test secret <hashed-value-of-password> privilege x -----> Wrong
username test password <password-string> privilege x -----> Correct
The configuration with the "secret" keyword implied that the configured password was already hashed on the router. Hence, during PPTP authentication, when the client sent the encrypted password using MS-CHAP, the router created a hash of the already encrypted password and tried to match it with the one sent by the client. This caused the authentication error.
Solution: Changing the creation of the username from using the "secret" keyword to the "password" keyword fixed the issue.
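As an added example (not part of the original document and not Cisco tooling), the following Python script audits an IOS configuration for the mismatch described above: MS-CHAP named on a "ppp authentication" line while local users are defined with the "secret" keyword. The sample configuration, its hash strings and the function names are constructed for illustration.

```python
import re

# Constructed sample IOS configuration (not from the original page).
SAMPLE_CONFIG = """\
username test secret 5 $1$abcd$0123456789abcdefghijkl
username alice password 0 ExamplePass1
username bob privilege 15 secret 5 $1$wxyz$abcdefghijklmnopqrstuv
interface Virtual-Template1
 ppp authentication ms-chap-v2 ms-chap
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+(.*)$")
AUTH_RE = re.compile(r"^\s*ppp authentication\s+(.+)$")
MSCHAP = {"ms-chap", "ms-chap-v2"}


def mschap_methods(config):
    """Return the MS-CHAP variants named on any 'ppp authentication' line."""
    found = set()
    for line in config.splitlines():
        m = AUTH_RE.match(line)
        if m:
            found |= MSCHAP & set(m.group(1).split())
    return found


def users_by_keyword(config):
    """Map each local username to the first of 'secret'/'password' on its line."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line)
        if m:
            # First keyword wins, so a password whose value is "secret" is not misread.
            kw = next((t for t in m.group(2).split() if t in ("secret", "password")), None)
            if kw:
                users[m.group(1)] = kw
    return users


def mschap_failures(config):
    """Users that would hit E=691 if MS-CHAP is negotiated, per the explanation above."""
    if not mschap_methods(config):
        return []
    return sorted(u for u, kw in users_by_keyword(config).items() if kw == "secret")


if __name__ == "__main__":
    print(mschap_failures(SAMPLE_CONFIG))
```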